
Bug#863562: jessie-pu: package libonig/5.9.5-3.2



Control: tag -1 confirmed

Hi Jörg,

Jörg Frings-Fürst <debian@jff-webhosting.net> (2017-05-28):
> I have the release 5.9.5-3.2+deb8u1 with fixes for the CVEs:
> 
>  CVE-2017-9224
>  CVE-2017-9226
>  CVE-2017-9227
>  CVE-2017-9228
>  CVE-2017-9229
> 
> ready. The debdiff is attached.

It seems there was some kind of coordination with the security team,
since I see “no-dsa” mentioned in the security tracker, but feel free
to mention this upfront in your next pu requests.

A few remarks:
 - patch -p1 was unhappy with the debian/patches/series update. :)
 - funny things, using square brackets in filenames.

I suspect it would have been nice to have separate patches for each
bug fix, in case someone needs to dig into one or another, but oh
well, having them all lumped together isn't that bad.

A few comments:
> diff -Nru libonig-5.9.5/debian/changelog libonig-5.9.5/debian/changelog
> --- libonig-5.9.5/debian/changelog	2014-12-28 12:11:12.000000000 +0100
> +++ libonig-5.9.5/debian/changelog	2017-05-28 16:59:55.000000000 +0200
> @@ -1,3 +1,15 @@
> +libonig (5.9.5-3.2+deb8u1) stable; urgency=medium

Please always use codenames, and target jessie instead.

> +  * New debian/patches/0500-CVE-2017-922[4-9].patch:
> +    - Cherrypicked from upstream to correct:
> +      + CVE-2017-9224 (Closes: #863312)
> +      + CVE-2017-9226 (Closes: #863314)
> +      + CVE-2017-9227 (Closes: #863315)
> +      + CVE-2017-9228 (Closes: #863316)
> +      + CVE-2017-9229 (Closes: #863318)
> +
> + -- Jörg Frings-Fürst <debian@jff-webhosting.net>  Sun, 28 May 2017 16:59:55 +0200
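Review bot: the patch filename 0500-CVE-2017-922[4-9].patch in this hunk's changelog entry contains square brackets, which are glob metacharacters for the shell and for patch tooling and are a plausible cause of the patch -p1 trouble with debian/patches/series mentioned above; a plain name such as 0500-CVE-2017-9224-9229.patch, or one patch per CVE so that each of the five bug fixes (#863312 through #863318) can be reviewed and reverted on its own, would avoid it. The distribution field should also read jessie rather than stable, as already noted.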

[…]

> --- libonig-5.9.5/debian/patches/0500-CVE-2017-922[4-9].patch	1970-01-01 01:00:00.000000000 +0100
> +++ libonig-5.9.5/debian/patches/0500-CVE-2017-922[4-9].patch	2017-05-26 07:07:41.000000000 +0200
> @@ -0,0 +1,121 @@
> +Correct CVE-2017-922[4-9]
> + Fix mutilple invalid pointer dereference, out-of-bounds write memory 
> + corruption and stack buffer overflow,
> +Origin: Cheerypicked from upstream
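Review bot: the DEP-3 header in this hunk does not identify which upstream commits were cherry-picked; "Origin: Cheerypicked from upstream" (typo aside, along with "mutilple" on the line above) should name the upstream commit or URL for each fix in the standard "Origin: upstream, <commit URL>" form, and Bug-Debian: fields for #863312, #863314, #863315, #863316 and #863318 would let anyone tracing a single CVE find its fix without reading the whole combined patch.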

(multiple & cherrypicked)

With the target distribution (and maybe typos) fixed, feel free to
upload; thanks.


KiBi.
